2 * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23 #include <sys/types.h>
24 #include <sys/param.h>
34 #include <arpa/nameser.h>
36 #include <arpa/nameser8_compat.h>
39 #include <sys/socket.h>
41 #include <arpa/inet.h>
42 #include <netinet/in.h>
43 #include <netinet/in_systm.h>
44 #include <netinet/ip.h>
/* Winsock version requested by WSAStartup() in main(); only meaningful on
 * the Windows build. */
64 WORD req_version = MAKEWORD(2, 2);
/* Main-loop run flag; presumably cleared by the SIGINT handler installed in
 * main() (the handler body is not shown here). */
68 static int running = 1;
/* Delegated domain this server answers for; taken from argv in main(). */
69 static char *topdomain;
/* Shared secret: 32 characters plus NUL, which is why -P truncates to 32
 * (see the strncpy/terminator in main() and the help text). It stays in
 * process memory, unencrypted, for the lifetime of the server. */
70 static char password[33];
/* Base32 decoder used for the control requests (V/L/N/P) whose payloads
 * are always base32, regardless of the codec a user has switched to. */
71 static struct encoder *b32;
/* Number of user slots created by init_users(); also the exclusive upper
 * bound on any userid a client may present (see check_user_and_ip()). */
72 static int created_users;
/* Server-side tunnel address (argv[0]) and the address advertised in NS
 * replies (-n). */
76 static in_addr_t my_ip;
79 static in_addr_t ns_ip;
/* glibc and the BSDs provide __progname; other platforms get a local one,
 * filled in from argv[0] in main(). */
84 #if !defined(BSD) && !defined(__GLIBC__)
85 static char *__progname;
88 static int read_dns(int, struct query *);
89 static void write_dns(int, struct query *, char *, int);
/* Fallback severity for builds without <syslog.h> (presumably the Windows
 * build; the surrounding #ifdef is not shown). */
102 #define LOG_WARNING 4
/* Minimal syslog() replacement for builds without a system syslog. The body
 * shown carries only the TODO, so on such builds the security-relevant log
 * lines emitted by handle_null_request() (bad logins, BADIP drops, server
 * full) are discarded rather than recorded anywhere. */
107 syslog(int a, const char *str, ...)
109 /* TODO: implement (add to event log), move to common.c */
/* Decide whether a request claiming slot `userid` may act for that user.
 * Returns 0 to accept. Rejects out-of-range ids, inactive slots and --
 * unless IP checking was disabled with -c -- a source address that differs
 * from the one recorded at the version handshake. Only the IPv4 address is
 * compared (sizeof(struct in_addr)); the source port is not, despite what
 * the -c help text says. This comparison is the only thing tying a userid
 * (a small integer the client puts in every request) to a peer, so anyone
 * able to spoof that source address on UDP can speak for that user. */
115 check_user_and_ip(int userid, struct query *q)
117 struct sockaddr_in *tempin;
/* Bound against the slots actually created, not the USERS maximum. */
119 if (userid < 0 || userid >= created_users ) {
/* The non-zero returns for these two rejections are on lines not shown. */
122 if (!users[userid].active) {
126 /* return early if IP checking is disabled */
/* q->from is treated as IPv4 (sockaddr_in) throughout this file. */
131 tempin = (struct sockaddr_in *) &(q->from);
132 return memcmp(&(users[userid].host), &(tempin->sin_addr), sizeof(struct in_addr));
/* Move one packet from the tun device towards a tunnel client.
 * Reads a raw packet (4-byte TUN header + IP), finds the user owning the
 * destination address, compresses it and parks it as that user's single
 * pending downstream packet. The queue is one packet deep: if something is
 * already waiting, the new packet is dropped (see the TODO below). */
136 tunnel_tun(int tun_fd, int dns_fd)
138 unsigned long outlen;
145 if ((read = read_tun(tun_fd, in, sizeof(in))) <= 0)
148 /* find target ip in packet, in is padded with 4 bytes TUN header */
/* NOTE(review): no visible check that `read` covers the 4-byte header plus
 * an IP header before ip_dst is read; a short read would consume stale
 * buffer contents as the destination address. */
149 header = (struct ip*) (in + 4);
/* Lines 151-153 (not shown) presumably reject a negative userid before
 * the users[userid] accesses below -- confirm. */
150 userid = find_user_by_ip(header->ip_dst.s_addr);
154 outlen = sizeof(out);
/* compress2() result is ignored; on failure outlen is not guaranteed to
 * describe valid output, yet it is copied below as if it were. */
155 compress2((uint8_t*)out, &outlen, (uint8_t*)in, read, 9);
157 /* if another packet is queued, throw away this one. TODO build queue */
158 if (users[userid].outpacket.len == 0) {
159 memcpy(users[userid].outpacket.data, out, outlen);
160 users[userid].outpacket.len = outlen;
161 users[userid].outpacket.offset = 0;
162 users[userid].outpacket.sentlen = 0;
/* 3-bit downstream sequence number: pre-increment, then wrap with & 7. */
163 users[userid].outpacket.seqno = (++users[userid].outpacket.seqno & 7);
164 users[userid].outpacket.fragment = 0;
/* Answer a version ("V") request. `out` is a 4-byte ASCII tag, a 32-bit
 * big-endian payload and one userid byte:
 *   VACK  payload = the user's login seed (challenge), userid = slot
 *   VNAK  payload = this server's VERSION, userid = 0
 *   VFUL  payload = created_users, userid = 0
 * The seed therefore travels in the clear inside a DNS answer; the login
 * step (login_calculate over password + seed) uses it as a challenge only,
 * so it must be fresh rather than secret. */
178 send_version_response(int fd, version_ack_t ack, uint32_t payload, int userid, struct query *q)
/* Tags are 4 chars; strncpy zero-fills the rest of `out`. */
184 strncpy(out, "VACK", sizeof(out));
187 strncpy(out, "VNAK", sizeof(out));
190 strncpy(out, "VFUL", sizeof(out));
194 out[4] = ((payload >> 24) & 0xff);
195 out[5] = ((payload >> 16) & 0xff);
196 out[6] = ((payload >> 8) & 0xff);
197 out[7] = ((payload) & 0xff);
/* Only the low byte of the id is sent; ids are bounded by created_users. */
198 out[8] = userid & 0xff;
200 write_dns(fd, q, out, sizeof(out));
/* Send the next downstream fragment of users[userid].outpacket as the
 * answer to that user's parked query. The fragment size is
 * users[userid].fragsize, which the client itself sets with an "N"
 * request, so this routine consumes an untrusted length: the memcpy into
 * pkt[2..] is only safe if fragsize is bounded to pkt's capacity (pkt's
 * declaration is not shown, and the "N" handler enforces no upper limit). */
204 send_chunk(int dns_fd, int userid) {
209 datalen = MIN(users[userid].fragsize, users[userid].outpacket.len - users[userid].outpacket.offset);
/* Lines 212 and 215-217 are not shown, so the grouping of this condition
 * (&& versus ||) cannot be read off here; the intent per the comment
 * below is "a fragment is outstanding and not yet acked". */
211 if (datalen && users[userid].outpacket.sentlen > 0 &&
213 users[userid].outpacket.seqno != users[userid].out_acked_seqno ||
214 users[userid].outpacket.fragment != users[userid].out_acked_fragment
218 /* Still waiting on latest ack, send nothing */
221 /* TODO : count down and discard packet if no acks arrive within X queries */
223 memcpy(&pkt[2], &users[userid].outpacket.data[users[userid].outpacket.offset], datalen);
224 users[userid].outpacket.sentlen = datalen;
225 last = (users[userid].outpacket.len == users[userid].outpacket.offset + users[userid].outpacket.sentlen);
227 /* Increase fragment# when sending data with offset */
228 if (users[userid].outpacket.offset && datalen)
229 users[userid].outpacket.fragment++;
232 /* Build downstream data header (see doc/proto_xxxxxxxx.txt) */
234 /* First byte is 1 bit compression flag, 3 bits upstream seqno, 4 bits upstream fragment */
235 pkt[0] = (1<<7) | ((users[userid].inpacket.seqno & 7) << 4) | (users[userid].inpacket.fragment & 15);
236 /* Second byte is 3 bits downstream seqno, 4 bits downstream fragment, 1 bit last flag */
237 pkt[1] = ((users[userid].outpacket.seqno & 7) << 5) |
238 ((users[userid].outpacket.fragment & 15) << 1) | (last & 1);
241 fprintf(stderr, "OUT pkt seq# %d, frag %d (last=%d), offset %d, fragsize %d, total %d, to user %d\n",
242 users[userid].outpacket.seqno & 7, users[userid].outpacket.fragment & 15,
243 last, users[userid].outpacket.offset, datalen, users[userid].outpacket.len, userid);
/* Answer the query parked for this user, then forget its id so the same
 * query is never answered twice (callers test q.id != 0 for "pending"). */
245 write_dns(dns_fd, &users[userid].q, pkt, datalen + 2);
246 users[userid].q.id = 0;
248 if (users[userid].outpacket.len > 0 &&
249 users[userid].outpacket.len == users[userid].outpacket.sentlen) {
251 /* Whole packet was sent in one chunk, dont wait for ack */
252 users[userid].outpacket.len = 0;
253 users[userid].outpacket.offset = 0;
254 users[userid].outpacket.sentlen = 0;
/* Drive the downstream send/ack state for one user after a request carrying
 * the client's latest downstream (seq, frag) ack has arrived:
 *  - a freshly queued packet with nothing sent yet is sent at once;
 *  - an ack matching the fragment in flight advances the offset and either
 *    finishes the packet or sends the next fragment;
 *  - anything else leaves the state untouched.
 * The ack is only 3+4 bits and unauthenticated, so a stale or forged ack
 * that happens to match is accepted as genuine. (Control flow between the
 * two branches, lines 264-266, is not shown.) */
259 update_downstream_seqno(int dns_fd, int userid, int down_seq, int down_frag)
261 /* If we just read a new packet from tun we have not sent a fragment of, just send it */
262 if (users[userid].outpacket.len > 0 && users[userid].outpacket.sentlen == 0) {
263 send_chunk(dns_fd, userid);
267 /* otherwise, check if we received ack on a fragment and can send next */
268 if (users[userid].outpacket.len > 0 &&
269 users[userid].outpacket.seqno == down_seq && users[userid].outpacket.fragment == down_frag) {
/* Ignore an ack already processed (same seq/frag as last time). */
271 if (down_seq != users[userid].out_acked_seqno || down_frag != users[userid].out_acked_fragment) {
272 /* Received ACK on downstream fragment */
273 users[userid].outpacket.offset += users[userid].outpacket.sentlen;
274 users[userid].outpacket.sentlen = 0;
276 /* Is packet done? */
277 if (users[userid].outpacket.offset == users[userid].outpacket.len) {
278 users[userid].outpacket.len = 0;
279 users[userid].outpacket.offset = 0;
280 users[userid].outpacket.sentlen = 0;
283 users[userid].out_acked_seqno = down_seq;
284 users[userid].out_acked_fragment = down_frag;
286 /* Send reply if waiting */
287 if (users[userid].outpacket.len > 0) {
288 send_chunk(dns_fd, userid);
/* Dispatch one NULL-type query whose name ends in topdomain. `domain_len`
 * is the number of bytes of q->name that precede topdomain; the first of
 * those selects the request type and the rest is request data.
 *
 * Trust model visible in this function: "V" allocates a slot and pins the
 * peer address, "L" proves knowledge of the password via a challenge hash,
 * and every later request is accepted on the strength of
 * check_user_and_ip() alone -- a client-chosen userid plus a matching
 * source address. There is no per-request integrity or replay protection
 * and the payload is only zlib-compressed, never encrypted, so anyone who
 * can forge UDP source addresses can inject into or disrupt a session, and
 * anyone on the path can read it. (-c removes even the address check.) */
295 handle_null_request(int tun_fd, int dns_fd, struct query *q, int domain_len)
297 struct in_addr tempip;
299 unsigned long outlen;
/* 64 KiB decode buffer on the stack, per call. */
303 char unpacked[64*1024];
/* NOTE(review): the copy is clamped to sizeof(in), but every unpack_data()
 * call below decodes `domain_len - 1` bytes from in[1] using the unclamped
 * length. tunnel_dns() also passes domain_len == 0 when the name equals
 * topdomain exactly, in which case in[0] is read without having been
 * written and the length handed on is -1. Whether this can reach past
 * `in` depends on in's size versus the query-name limit (neither shown). */
313 memcpy(in, q->name, MIN(domain_len, sizeof(in)));
315 if(in[0] == 'V' || in[0] == 'v') {
316 read = unpack_data(unpacked, sizeof(unpacked), &(in[1]), domain_len - 1, b32);
317 /* Version greeting, compare and send ack/nak */
/* `read` is not checked to be >= 4 before the four bytes are consumed; a
 * short payload yields a version built from stale buffer contents. */
319 /* Received V + 32bits version */
320 version = (((unpacked[0] & 0xff) << 24) |
321 ((unpacked[1] & 0xff) << 16) |
322 ((unpacked[2] & 0xff) << 8) |
323 ((unpacked[3] & 0xff)));
326 if (version == VERSION) {
/* Lines 328 and 342 (not shown) presumably branch on userid >= 0; the
 * "server full" reply further down belongs to the else side. */
327 userid = find_available_user();
329 struct sockaddr_in *tempin;
/* Login challenge. rand() is not a cryptographic generator and its seeding
 * is not visible here; the seed is also echoed in the clear as the VACK
 * payload, so it provides freshness, not secrecy. */
331 users[userid].seed = rand();
332 /* Store remote IP number */
/* The peer address is pinned before any authentication, so the slot is
 * held by an unauthenticated peer until whatever expiry applies to
 * last_pkt (not shown). */
333 tempin = (struct sockaddr_in *) &(q->from);
334 memcpy(&(users[userid].host), &(tempin->sin_addr), sizeof(struct in_addr));
336 memcpy(&(users[userid].q), q, sizeof(struct query));
337 users[userid].encoder = get_base32_encoder();
338 send_version_response(dns_fd, VERSION_ACK, users[userid].seed, userid, q);
339 syslog(LOG_INFO, "accepted version for user #%d from %s",
340 userid, inet_ntoa(tempin->sin_addr));
/* Answered directly above; clear the parked id so send_chunk() does not
 * answer the same query again. */
341 users[userid].q.id = 0;
343 /* No space for another user */
344 send_version_response(dns_fd, VERSION_FULL, created_users, 0, q);
345 syslog(LOG_INFO, "dropped user from %s, server full",
346 inet_ntoa(((struct sockaddr_in *) &q->from)->sin_addr));
349 send_version_response(dns_fd, VERSION_NACK, VERSION, 0, q);
350 syslog(LOG_INFO, "dropped user from %s, sent bad version %08X",
351 inet_ntoa(((struct sockaddr_in *) &q->from)->sin_addr), version);
354 } else if(in[0] == 'L' || in[0] == 'l') {
355 read = unpack_data(unpacked, sizeof(unpacked), &(in[1]), domain_len - 1, b32);
356 /* Login phase, handle auth */
/* Read before `read` is checked. `unpacked` is char, so where char is
 * signed a byte >= 0x80 becomes a negative id, which the range check in
 * check_user_and_ip() rejects. */
357 userid = unpacked[0];
359 if (check_user_and_ip(userid, q) != 0) {
360 write_dns(dns_fd, q, "BADIP", 5);
361 syslog(LOG_WARNING, "dropped login request from user #%d from unexpected source %s",
362 userid, inet_ntoa(((struct sockaddr_in *) &q->from)->sin_addr));
365 users[userid].last_pkt = time(NULL);
/* Expected response: a 16-byte login_calculate() digest over the shared
 * password and this user's seed. The password itself never crosses the
 * wire. */
366 login_calculate(logindata, 16, password, users[userid].seed);
/* memcmp() is not constant-time, so response timing leaks how many leading
 * digest bytes matched; over DNS the signal is noisy, but a constant-time
 * compare costs nothing here. The length test only guarantees >= 18
 * decoded bytes (id + 16-byte digest + one more). */
368 if (read >= 18 && (memcmp(logindata, unpacked+1, 16) == 0)) {
369 /* Login ok, send ip/mtu/netmask info */
/* inet_ntoa() returns a static buffer, hence the strdup() of each result;
 * the matching frees belong to lines not shown. */
371 tempip.s_addr = my_ip;
372 tmp[0] = strdup(inet_ntoa(tempip));
373 tempip.s_addr = users[userid].tun_ip;
374 tmp[1] = strdup(inet_ntoa(tempip));
/* snprintf() returns the would-be length; two dotted quads and two small
 * integers should fit, but `read` is not clamped to sizeof(out) before it
 * is used as the reply length. */
376 read = snprintf(out, sizeof(out), "%s-%s-%d-%d",
377 tmp[0], tmp[1], my_mtu, netmask);
379 write_dns(dns_fd, q, out, read);
381 syslog(LOG_NOTICE, "accepted password from user #%d, given IP %s", userid, tmp[1]);
386 write_dns(dns_fd, q, "LNAK", 4);
387 syslog(LOG_WARNING, "rejected login request from user #%d from %s, bad password",
388 userid, inet_ntoa(((struct sockaddr_in *) &q->from)->sin_addr));
392 } else if(in[0] == 'Z' || in[0] == 'z') {
393 /* Check for case conservation and chars not allowed according to RFC */
/* No check_user_and_ip() call appears in this branch: any sender gets its
 * own request bytes echoed back. The answer is no larger than the question
 * data, so it is not useful as an amplifier. */
395 /* Reply with received hostname as data */
396 write_dns(dns_fd, q, in, domain_len);
398 } else if(in[0] == 'S' || in[0] == 's') {
/* Codec switch: exactly "S<id><codec>" plus the final dot. */
401 if (domain_len != 4) { /* len = 4, example: "S15." */
402 write_dns(dns_fd, q, "BADLEN", 6);
/* One base32 character gives an id in 0..31; range-checked by
 * check_user_and_ip(). */
406 userid = b32_8to5(in[1]);
408 if (check_user_and_ip(userid, q) != 0) {
409 write_dns(dns_fd, q, "BADIP", 5);
410 return; /* illegal id */
413 codec = b32_8to5(in[2]);
416 case 5: /* 5 bits per byte = base32 */
417 enc = get_base32_encoder();
418 user_switch_codec(userid, enc);
419 write_dns(dns_fd, q, enc->name, strlen(enc->name));
421 case 6: /* 6 bits per byte = base64 */
422 enc = get_base64_encoder();
423 user_switch_codec(userid, enc);
424 write_dns(dns_fd, q, enc->name, strlen(enc->name));
427 write_dns(dns_fd, q, "BADCODEC", 8);
431 } else if(in[0] == 'R' || in[0] == 'r') {
434 /* Downstream fragsize probe packet */
/* Only 4 bits of id here (0..15), so slots >= 16 cannot probe. */
435 userid = (b32_8to5(in[1]) >> 1) & 15;
436 if (check_user_and_ip(userid, q) != 0) {
437 write_dns(dns_fd, q, "BADIP", 5);
438 return; /* illegal id */
/* 11-bit requested size (max 2047). A few query bytes buy a reply of
 * req_frag_size bytes, which is why this path is gated on a valid id and
 * source address above. `buf` must hold at least 2047 bytes (its
 * declaration is not shown). */
441 req_frag_size = ((b32_8to5(in[1]) & 1) << 10) | ((b32_8to5(in[2]) & 31) << 5) | (b32_8to5(in[3]) & 31);
442 if (req_frag_size < 2 || req_frag_size > 2047) {
443 write_dns(dns_fd, q, "BADFRAG", 7);
447 memset(buf, 0, sizeof(buf));
448 buf[0] = (req_frag_size >> 8) & 0xff;
449 buf[1] = req_frag_size & 0xff;
450 write_dns(dns_fd, q, buf, req_frag_size);
453 } else if(in[0] == 'N' || in[0] == 'n') {
456 read = unpack_data(unpacked, sizeof(unpacked), &(in[1]), domain_len - 1, b32);
457 /* Downstream fragsize packet */
458 userid = unpacked[0];
459 if (check_user_and_ip(userid, q) != 0) {
460 write_dns(dns_fd, q, "BADIP", 5);
461 return; /* illegal id */
/* NOTE(review): a 16-bit client-chosen value with only a lower bound,
 * while the "R" probe above caps at 2047. It becomes users[].fragsize,
 * the length send_chunk() memcpy()s into its pkt buffer, so it should be
 * bounded the same way:
 *     if (max_frag_size < 2 || max_frag_size > 2047) {
 * Also `read` is not checked to be >= 3 before unpacked[1..2] are used. */
464 max_frag_size = ((unpacked[1] & 0xff) << 8) | (unpacked[2] & 0xff);
465 if (max_frag_size < 2) {
466 write_dns(dns_fd, q, "BADFRAG", 7);
468 users[userid].fragsize = max_frag_size;
469 write_dns(dns_fd, q, &unpacked[1], 2);
472 } else if(in[0] == 'P' || in[0] == 'p') {
476 read = unpack_data(unpacked, sizeof(unpacked), &(in[1]), domain_len - 1, b32);
477 /* Ping packet, store userid */
478 userid = unpacked[0];
479 if (check_user_and_ip(userid, q) != 0) {
480 write_dns(dns_fd, q, "BADIP", 5);
481 return; /* illegal id */
485 fprintf(stderr, "PING pkt from user %d\n", userid);
/* A ping hands the server a query it may answer later with downstream
 * data. If one is already parked, answer it first so it is never lost. */
488 if (users[userid].q.id != 0) {
489 /* Send reply on earlier query before overwriting */
490 send_chunk(dns_fd, userid);
/* Client's downstream ack: high nibble seq, low nibble fragment. */
493 dn_seq = unpacked[1] >> 4;
494 dn_frag = unpacked[1] & 15;
495 memcpy(&(users[userid].q), q, sizeof(struct query));
496 users[userid].last_pkt = time(NULL);
498 /* Update seqno and maybe send immediate response packet */
499 update_downstream_seqno(dns_fd, userid, dn_seq, dn_frag);
500 } else if((in[0] >= '0' && in[0] <= '9')
501 || (in[0] >= 'a' && in[0] <= 'f')
502 || (in[0] >= 'A' && in[0] <= 'F')) {
/* Upstream data: the leading hex digit carries the userid. */
503 if ((in[0] >= '0' && in[0] <= '9'))
505 if ((in[0] >= 'a' && in[0] <= 'f'))
506 code = in[0] - 'a' + 10;
507 if ((in[0] >= 'A' && in[0] <= 'F'))
508 code = in[0] - 'A' + 10;
/* userid is derived from `code` on a line not shown (509-510). */
511 /* Check user and sending ip number */
512 if (check_user_and_ip(userid, q) != 0) {
513 write_dns(dns_fd, q, "BADIP", 5);
515 /* Decode data header */
/* Three base32 chars: up_seq(3) up_frag(4) dn_seq(3) dn_frag(4) last(1). */
516 int up_seq = (b32_8to5(in[1]) >> 2) & 7;
517 int up_frag = ((b32_8to5(in[1]) & 3) << 2) | ((b32_8to5(in[2]) >> 3) & 3);
518 int dn_seq = (b32_8to5(in[2]) & 7);
519 int dn_frag = b32_8to5(in[3]) >> 1;
520 int lastfrag = b32_8to5(in[3]) & 1;
522 if (users[userid].q.id != 0) {
523 /* Send reply on earlier query before overwriting */
524 send_chunk(dns_fd, userid);
527 /* Update query and time info for user */
528 users[userid].last_pkt = time(NULL);
529 memcpy(&(users[userid].q), q, sizeof(struct query));
/* Duplicate suppression only covers repeats within the current 3-bit
 * sequence number; the same fragment under a different seq is treated as
 * the start of a new packet below. */
531 if (up_seq == users[userid].inpacket.seqno &&
532 up_frag <= users[userid].inpacket.fragment) {
533 /* Got repeated old packet, skip it */
535 fprintf(stderr, "IN pkt seq# %d, frag %d, dropped duplicate\n",
538 /* Update seqno and maybe send immediate response packet */
539 update_downstream_seqno(dns_fd, userid, dn_seq, dn_frag);
542 if (up_seq != users[userid].inpacket.seqno) {
543 /* New packet has arrived */
544 users[userid].inpacket.seqno = up_seq;
545 users[userid].inpacket.len = 0;
546 users[userid].inpacket.offset = 0;
548 users[userid].inpacket.fragment = up_frag;
550 /* decode with this users encoding */
551 read = unpack_data(unpacked, sizeof(unpacked), &(in[4]), domain_len - 4,
552 users[userid].encoder);
/* NOTE(review): no bound on offset + read against the inpacket buffer
 * (its size is declared elsewhere). Safety rests on the 4-bit fragment
 * counter limiting a packet to 16 fragments of at most one query-name's
 * worth of decoded data; an explicit check before this memcpy would make
 * that assumption enforced rather than implicit. */
554 /* copy to packet buffer, update length */
555 memcpy(users[userid].inpacket.data + users[userid].inpacket.offset, unpacked, read);
556 users[userid].inpacket.len += read;
557 users[userid].inpacket.offset += read;
560 fprintf(stderr, "IN pkt seq# %d, frag %d (last=%d), fragsize %d, total %d, from user %d\n",
561 up_seq, up_frag, lastfrag, read, users[userid].inpacket.len, userid);
564 if (lastfrag & 1) { /* packet is complete */
566 outlen = sizeof(out);
/* Decompress the reassembled packet; the branches on `ret` (line 570) and
 * on `touser` (573-574, 577) are not shown. */
567 ret = uncompress((uint8_t*)out, &outlen,
568 (uint8_t*)users[userid].inpacket.data, users[userid].inpacket.len);
/* The destination comes from the client-supplied, now-decompressed IP
 * header; no visible check that outlen covers 4 + an IP header. */
571 hdr = (struct ip*) (out + 4);
572 touser = find_user_by_ip(hdr->ip_dst.s_addr);
575 /* send the uncompressed packet to tun device */
576 write_tun(tun_fd, out, outlen);
/* Client-to-client path, presumably the alternative to write_tun() above
 * (the branch is on lines not shown). If so, traffic between two tunnel
 * users never traverses the tun interface, so host firewall rules on it do
 * not apply. Requires touser >= 0, which must be established on a line not
 * shown before users[touser] is indexed. */
578 /* send the compressed packet to other client
579 * if another packet is queued, throw away this one. TODO build queue */
580 if (users[touser].outpacket.len == 0) {
581 memcpy(users[touser].outpacket.data, users[userid].inpacket.data, users[userid].inpacket.len);
582 users[touser].outpacket.len = users[userid].inpacket.len;
586 fprintf(stderr, "Discarded data, uncompress() result: %d\n", ret);
/* Reassembly state is reset whether or not decompression succeeded. */
588 users[userid].inpacket.len = users[userid].inpacket.offset = 0;
590 /* Update seqno and maybe send immediate response packet */
591 update_downstream_seqno(dns_fd, userid, dn_seq, dn_frag);
/* Answer an NS query for topdomain with this server's own address. If -n
 * was given, the advertised address is overridden with ns_ip; otherwise
 * the encoder presumably uses q->destination, the address the query
 * arrived on (filled in by read_dns()). A send failure is only warned
 * about, not propagated. */
597 handle_ns_request(int dns_fd, struct query *q)
602 if (ns_ip != INADDR_ANY) {
603 memcpy(&q->destination.s_addr, &ns_ip, sizeof(in_addr_t));
606 len = dns_encode_ns_response(buf, sizeof(buf), q, topdomain);
/* Debug trace; the guard on `debug` is on a line not shown. */
609 struct sockaddr_in *tempin;
610 tempin = (struct sockaddr_in *) &(q->from);
611 fprintf(stderr, "TX: client %s, type %d, name %s, %d bytes NS reply\n",
612 inet_ntoa(tempin->sin_addr), q->type, q->name, len);
/* No check on `len` is visible between encoding and sending (lines 607-608
 * not shown); a negative encoder result would reach sendto() as a huge
 * size_t. */
614 if (sendto(dns_fd, buf, len, 0, (struct sockaddr*)&q->from, q->fromlen) <= 0) {
615 warn("ns reply send error");
/* Relay a query for a name outside topdomain to the real resolver on
 * 127.0.0.1:bind_port, remembering who asked so tunnel_bind() can route the
 * reply back. The lookup key is the client's own 16-bit query id (the
 * re-encode keeps q->id), so two clients using the same id at once collide
 * in the table (the store happens on a line not shown), and anyone able to
 * deliver a datagram to bind_fd carrying an outstanding id can answer on
 * the resolver's behalf, since bind_fd is bound to INADDR_ANY in main()
 * and tunnel_bind() does not check the sender. */
620 forward_query(int bind_fd, struct query *q)
625 struct sockaddr_in *myaddr;
628 len = dns_encode(buf, sizeof(buf), q, QR_QUERY, q->name, strlen(q->name));
630 /* Store sockaddr for q->id */
631 memcpy(&(fwq.addr), &(q->from), q->fromlen);
632 fwq.addrlen = q->fromlen;
/* q->from is rewritten in place to the forwarding target, so after this
 * call the caller's query points at localhost, not at the client. */
636 newaddr = inet_addr("127.0.0.1");
637 myaddr = (struct sockaddr_in *) &(q->from);
638 memcpy(&(myaddr->sin_addr), &newaddr, sizeof(in_addr_t));
639 myaddr->sin_port = htons(bind_port);
/* Debug trace label is misleading: this is the forwarded query, not an NS
 * reply. */
642 fprintf(stderr, "TX: NS reply \n");
645 if (sendto(bind_fd, buf, len, 0, (struct sockaddr*)&q->from, q->fromlen) <= 0) {
646 warn("forward query error");
/* Receive a reply from the real resolver on bind_fd and hand it to the
 * client that originally asked, matching on the DNS id alone.
 * NOTE(review): `from` is filled by recvfrom() but never compared with the
 * forwarding target (127.0.0.1:bind_port), and main() binds bind_fd on
 * INADDR_ANY with an ephemeral port. Any host that can reach that port and
 * present an outstanding 16-bit id can therefore inject a spoofed answer
 * that is relayed to the client verbatim. Binding bind_fd to loopback, or
 * dropping datagrams whose `from` is not the resolver, closes this. */
651 tunnel_bind(int bind_fd, int dns_fd)
653 char packet[64*1024];
654 struct sockaddr_in from;
656 struct fw_query *query;
/* sizeof(struct sockaddr) equals sizeof(struct sockaddr_in) on common
 * platforms; IPv4 only. */
660 fromlen = sizeof(struct sockaddr);
661 r = recvfrom(bind_fd, packet, sizeof(packet), 0,
662 (struct sockaddr*)&from, &fromlen);
/* Handling of r <= 0 / r shorter than a DNS header is on lines not shown. */
667 id = dns_get_id(packet, r);
670 fprintf(stderr, "RX: Got response on query %u from DNS\n", (id & 0xFFFF));
673 /* Get sockaddr from id */
674 fw_query_get(id, &query);
/* This only logs the miss; the actual early return for !query must be on a
 * line not shown, since `query` is dereferenced below. */
675 if (!query && debug >= 2) {
676 fprintf(stderr, "Lost sender of id %u, dropping reply\n", (id & 0xFFFF));
681 struct sockaddr_in *in;
682 in = (struct sockaddr_in *) &(query->addr);
683 fprintf(stderr, "TX: client %s id %u, %d bytes\n",
684 inet_ntoa(in->sin_addr), (id & 0xffff), r);
/* The upstream answer is relayed byte-for-byte; only its id was parsed. */
687 if (sendto(dns_fd, packet, r, 0, (const struct sockaddr *) &(query->addr),
688 query->addrlen) <= 0) {
689 warn("forward reply error");
/* Read one query from the public DNS socket and route it: names ending in
 * topdomain are handled here (NULL -> tunnel protocol, NS -> delegation
 * reply; the type dispatch is on lines not shown), everything else is
 * forwarded to the local resolver. Caveats in the matching logic:
 *  - strstr() is case-sensitive while DNS names are not, so a resolver
 *    that alters case (e.g. 0x20 randomisation) defeats the match and the
 *    query is forwarded instead of tunneled;
 *  - only "topdomain ends the name" is checked, not that it begins on a
 *    label boundary, so whether "xfoo.example" counts as inside topdomain
 *    "foo.example" depends on how topdomain was configured (leading dot or
 *    not; check_topdomain() is not shown);
 *  - a name equal to topdomain yields domain_len == 0, which
 *    handle_null_request() does not special-case. */
696 tunnel_dns(int tun_fd, int dns_fd, int bind_fd)
702 int inside_topdomain;
704 if ((read = read_dns(dns_fd, &q)) <= 0)
708 struct sockaddr_in *tempin;
709 tempin = (struct sockaddr_in *) &(q.from);
710 fprintf(stderr, "RX: client %s, type %d, name %s\n",
711 inet_ntoa(tempin->sin_addr), q.type, q.name);
/* First occurrence only; the suffix test below then decides. The NULL
 * guard on `domain` is presumably on line 716 (not shown). */
714 domain = strstr(q.name, topdomain);
715 inside_topdomain = 0;
717 domain_len = (int) (domain - q.name);
718 if (domain_len + strlen(topdomain) == strlen(q.name)) {
719 inside_topdomain = 1;
723 if (inside_topdomain) {
724 /* This is a query we can handle */
727 handle_null_request(tun_fd, dns_fd, &q, domain_len);
730 handle_ns_request(dns_fd, &q);
736 /* Forward query to other port ? */
738 forward_query(bind_fd, &q);
/* Main event loop: select() over the tun device, the public DNS socket and
 * the resolver-reply socket. The tun fd is only polled when some user can
 * accept another packet, because each user has a single-packet downstream
 * queue. On a select() timeout every slot with a parked query gets it
 * answered via send_chunk(), presumably so client resolvers do not give up
 * on it. The `running` test and timeout setup are on lines not shown. */
745 tunnel(int tun_fd, int dns_fd, int bind_fd)
753 if (users_waiting_on_reply()) {
763 FD_SET(dns_fd, &fds);
767 /* wait for replies from real DNS */
768 FD_SET(bind_fd, &fds);
769 maxfd = MAX(bind_fd, maxfd);
772 /* TODO : use some kind of packet queue */
773 if(!all_users_waiting_to_send()) {
774 FD_SET(tun_fd, &fds);
775 maxfd = MAX(tun_fd, maxfd);
778 i = select(maxfd + 1, &fds, NULL, NULL, &tv);
/* Timeout path (the guard on i == 0 is presumably on a line not shown):
 * iterates all USERS slots, active or not -- q.id != 0 is the only test. */
788 for (j = 0; j < USERS; j++) {
789 if (users[j].q.id != 0) {
790 send_chunk(dns_fd, j);
794 if(FD_ISSET(tun_fd, &fds)) {
795 tunnel_tun(tun_fd, dns_fd);
798 if(FD_ISSET(dns_fd, &fds)) {
799 tunnel_dns(tun_fd, dns_fd, bind_fd);
802 if(FD_ISSET(bind_fd, &fds)) {
803 tunnel_bind(bind_fd, dns_fd);
/* Receive one datagram from the DNS socket and parse it into *q.
 * Uses recvmsg() with a control buffer so the address the datagram was
 * sent to can be recovered (DSTADDR_SOCKOPT, presumably IP_RECVDSTADDR or
 * IP_PKTINFO depending on platform) for use in NS replies; the Windows
 * build falls back to plain recvfrom(). Returns strlen(q->name), not the
 * datagram length -- the caller treats <= 0 as "nothing usable". All
 * parsing of the untrusted packet is delegated to dns_decode(), which gets
 * `r` as the length; any handling of r <= 0 is on lines not shown. */
813 read_dns(int fd, struct query *q)
815 struct sockaddr_in from;
817 char packet[64*1024];
823 struct cmsghdr *cmsg;
/* Address length for an IPv4 peer; sockaddr_in fits exactly. */
825 addrlen = sizeof(struct sockaddr);
826 iov.iov_base = packet;
827 iov.iov_len = sizeof(packet);
829 msg.msg_name = (caddr_t) &from;
830 msg.msg_namelen = (unsigned) addrlen;
833 msg.msg_control = address;
834 msg.msg_controllen = sizeof(address);
837 r = recvmsg(fd, &msg, 0);
839 addrlen = sizeof(struct sockaddr);
840 r = recvfrom(fd, packet, sizeof(packet), 0, (struct sockaddr*)&from, &addrlen);
841 #endif /* !WINDOWS32 */
844 dns_decode(NULL, 0, q, QR_QUERY, packet, r);
845 memcpy((struct sockaddr*)&q->from, (struct sockaddr*)&from, addrlen);
846 q->fromlen = addrlen;
/* Walk the ancillary data for the destination address of the query. */
849 for (cmsg = CMSG_FIRSTHDR(&msg); cmsg != NULL;
850 cmsg = CMSG_NXTHDR(&msg, cmsg)) {
852 if (cmsg->cmsg_level == IPPROTO_IP &&
853 cmsg->cmsg_type == DSTADDR_SOCKOPT) {
855 q->destination = *dstaddr(cmsg);
861 return strlen(q->name);
/* Encode `data` as the answer to query q and send it back to q->from.
 * Unlike handle_ns_request(), the sendto() result is ignored, and no check
 * on `len` is visible between encoding and sending (lines 877-878 not
 * shown). Every reply to a client -- including error tags such as "BADIP"
 * -- goes through here; a reply carries the question plus the encoded
 * data, so towards a spoofed source address this is a modest reflector. */
871 write_dns(int fd, struct query *q, char *data, int datalen)
876 len = dns_encode(buf, sizeof(buf), q, QR_ANSWER, data, datalen);
/* Debug trace; the guard on `debug` is on a line not shown. */
879 struct sockaddr_in *tempin;
880 tempin = (struct sockaddr_in *) &(q->from);
881 fprintf(stderr, "TX: client %s, type %d, name %s, %d bytes data\n",
882 inet_ntoa(tempin->sin_addr), q->type, q->name, datalen);
885 sendto(fd, buf, len, 0, (struct sockaddr*)&q->from, q->fromlen);
/* Presumably the body of usage() (main() passes `usage` to
 * check_superuser()): one-line synopsis on stderr. The definition header
 * and the exit are on lines not shown. Must be kept in sync with help(). */
890 extern char *__progname;
892 fprintf(stderr, "Usage: %s [-v] [-h] [-c] [-s] [-f] [-D] [-u user] "
893 "[-t chrootdir] [-d device] [-m mtu] "
894 "[-l ip address to listen on] [-p port] [-n external ip] [-b dnsport] [-P password]"
895 " tunnel_ip[/netmask] topdomain\n", __progname);
/* Full option listing on stderr (definition header and exit not shown).
 * Operator notes grounded in the rest of this file: -c disables the
 * per-request source-address check that is the only post-login binding
 * between a userid and a peer; -P places the password in argv, where it is
 * visible to other local users via ps until main() overwrites optarg (and
 * lands in shell history regardless) -- the interactive prompt used when
 * -P is absent avoids both. The "IP/port" wording for -c overstates the
 * check, which compares the address only. */
901 extern char *__progname;
903 fprintf(stderr, "iodine IP over DNS tunneling server\n");
904 fprintf(stderr, "Usage: %s [-v] [-h] [-c] [-s] [-f] [-D] [-u user] "
905 "[-t chrootdir] [-d device] [-m mtu] "
906 "[-l ip address to listen on] [-p port] [-n external ip] [-b dnsport] [-P password]"
907 " tunnel_ip[/netmask] topdomain\n", __progname);
908 fprintf(stderr, " -v to print version info and exit\n");
909 fprintf(stderr, " -h to print this help and exit\n");
910 fprintf(stderr, " -c to disable check of client IP/port on each request\n");
911 fprintf(stderr, " -s to skip creating and configuring the tun device, "
912 "which then has to be created manually\n");
913 fprintf(stderr, " -f to keep running in foreground\n");
914 fprintf(stderr, " -D to increase debug level\n");
915 fprintf(stderr, " -u name to drop privileges and run as user 'name'\n");
916 fprintf(stderr, " -t dir to chroot to directory dir\n");
917 fprintf(stderr, " -d device to set tunnel device name\n");
918 fprintf(stderr, " -m mtu to set tunnel device mtu\n");
919 fprintf(stderr, " -l ip address to listen on for incoming dns traffic "
920 "(default 0.0.0.0)\n");
921 fprintf(stderr, " -p port to listen on for incoming dns traffic (default 53)\n");
922 fprintf(stderr, " -n ip to respond with to NS queries\n");
923 fprintf(stderr, " -b port to forward normal DNS queries to (on localhost)\n");
924 fprintf(stderr, " -P password used for authentication (max 32 chars will be used)\n");
925 fprintf(stderr, "tunnel_ip is the IP number of the local tunnel interface.\n");
926 fprintf(stderr, " /netmask sets the size of the tunnel network.\n");
927 fprintf(stderr, "topdomain is the FQDN that is delegated to this server.\n");
/* Version banner on stdout (definition header and exit not shown). */
933 printf("iodine IP over DNS tunneling server\n");
934 printf("version: 0.5.1 from 2009-03-21\n");
939 main(int argc, char **argv)
941 extern char *__progname;
953 /* settings for forwarding normal DNS to
954 * local real DNS server */
971 listen_ip = INADDR_ANY;
979 b32 = get_base32_encoder();
982 WSAStartup(req_version, &wsa_data);
985 #if !defined(BSD) && !defined(__GLIBC__)
986 __progname = strrchr(argv[0], '/');
987 if (__progname == NULL)
988 __progname = argv[0];
993 memset(password, 0, sizeof(password));
997 while ((choice = getopt(argc, argv, "vcsfhDu:t:d:m:l:p:n:b:P:")) != -1) {
1030 listen_ip = inet_addr(optarg);
1033 port = atoi(optarg);
1036 ns_ip = inet_addr(optarg);
1040 bind_port = atoi(optarg);
1043 strncpy(password, optarg, sizeof(password));
1044 password[sizeof(password)-1] = 0;
1046 /* XXX: find better way of cleaning up ps(1) */
1047 memset(optarg, 0, strlen(optarg));
1058 check_superuser(usage);
1063 netsize = strchr(argv[0], '/');
1067 netmask = atoi(netsize);
1070 my_ip = inet_addr(argv[0]);
1072 if (my_ip == INADDR_NONE) {
1073 warnx("Bad IP address to use inside tunnel.\n");
1077 topdomain = strdup(argv[1]);
1078 if(strlen(topdomain) <= 128) {
1079 if(check_topdomain(topdomain)) {
1080 warnx("Topdomain contains invalid characters.\n");
1084 warnx("Use a topdomain max 128 chars long.\n");
1088 if (username != NULL) {
1090 if ((pw = getpwnam(username)) == NULL) {
1091 warnx("User %s does not exist!\n", username);
1098 warnx("Bad MTU given.\n");
1102 if(port < 1 || port > 65535) {
1103 warnx("Bad port number given.\n");
1108 if (bind_port < 1 || bind_port > 65535 || bind_port == port) {
1109 warnx("Bad DNS server port number given.\n");
1113 fprintf(stderr, "Requests for domains outside of %s will be forwarded to port %d\n",
1114 topdomain, bind_port);
1118 fprintf(stderr, "ALERT! Other dns servers expect you to run on port 53.\n");
1119 fprintf(stderr, "You must manually forward port 53 to port %d for things to work.\n", port);
1123 fprintf(stderr, "Debug level %d enabled, will stay in foreground.\n", debug);
1124 fprintf(stderr, "Add more -D switches to set higher debug level.\n");
1128 if (listen_ip == INADDR_NONE) {
1129 warnx("Bad IP address to listen on.\n");
1133 if (ns_ip == INADDR_NONE) {
1134 warnx("Bad IP address to return as nameserver.\n");
1137 if (netmask > 30 || netmask < 8) {
1138 warnx("Bad netmask (%d bits). Use 8-30 bits.\n", netmask);
1142 if (strlen(password) == 0)
1143 read_password(password, sizeof(password));
1145 if ((tun_fd = open_tun(device)) == -1)
1148 if (tun_setip(argv[0], netmask) != 0 || tun_setmtu(mtu) != 0)
1150 if ((dnsd_fd = open_dns(port, listen_ip)) == -1)
1153 if ((bind_fd = open_dns(0, INADDR_ANY)) == -1)
1158 created_users = init_users(my_ip, netmask);
1160 if (created_users < USERS) {
1161 fprintf(stderr, "Limiting to %d simultaneous users because of netmask /%d\n",
1162 created_users, netmask);
1164 fprintf(stderr, "Listening to dns for domain %s\n", topdomain);
1166 if (foreground == 0)
1169 if (newroot != NULL)
1172 signal(SIGINT, sigint);
1173 if (username != NULL) {
1176 gids[0] = pw->pw_gid;
1177 if (setgroups(1, gids) < 0 || setgid(pw->pw_gid) < 0 || setuid(pw->pw_uid) < 0) {
1178 warnx("Could not switch to user %s!\n", username);
1185 openlog(__progname, LOG_NOWAIT, LOG_DAEMON);
1187 syslog(LOG_INFO, "started, listening on port %d", port);
1189 tunnel(tun_fd, dnsd_fd, bind_fd);
1191 syslog(LOG_INFO, "stopping");